This blog comments on a variety of technology news, trends, and products and how they connect. I'm in Red Hat's cloud product strategy group in my day job although I cover a broader set of topics here. This is a personal blog; the opinions are mine alone.

Thursday, August 23, 2012

Ellen Newlands is the product manager for Red Hat's cloud security products. This discussion covers some of the ways that the "cloud"--large-scale network-connected computing really--introduces new challenges for IT security. Topics include:

Gordon:
Although there are still headlines every now and then about the Cloud
being insecure as some macro thing, most observers at this point realize that
these blanket statements really don't have any meat to them.

Ellen:
Gordon, I completely agree with you on that score. Whether the Cloud is secure or insecure depends on a number of things. It depends on what kind of Cloud computing you choose, whether you go with public or private or a combination of the two, hybrid Cloud; who you choose for your Cloud provider; what kind of technology you pick; what your use case is; and how carefully you have set up and thought out what information you are putting in the Cloud and how best to secure it as you move to Cloud computing. There are a number of factors to consider with what you call, or we call, secure Cloud computing. One of the first things I think that we really ought to think about is that going into the Cloud, public Cloud, for example, can actually make you more secure depending on the level of expertise and the kind of programs you had for security on premise in your enterprise or your agency.

You
can find that there are public Cloud providers who can give you a more holistic
view of security and provide you with even better security than you might
previously have had. And, of course, as we see from the number of break‑ins,
the opposite can also be true.

Gordon:
One of the things that I think is often overlooked is that people raise various types of issues related to public cloud providers, whether it's security or, really more commonly, outages of various types. Obviously, we conflate things like social networks into there. There are lots of questions and issues around privacy and so forth, also. I think often that discussion takes place in a way that ignores the fact that, particularly when you're talking about smaller businesses, in many cases businesses that don't have full-time IT staff, those types of businesses haven't historically had very good security, backup, or really IT practices in general.

Ellen:
I think that that is actually true, especially now, IT security expertise
is scarce and expensive and in great demand. Setting up your own internal
secure software network, bringing in those people, can be expensive and that's
very, very hard to judge. I think that security as provided by a knowledgeable
public cloud provider can, in many cases, up your security rather than reduce
it.

Another
thing that I think I've found very interesting is you still read about security
breaches in the public cloud. It is interesting to me that many of the breaches
that you read about in the public cloud have nothing to do with public cloud
computing and are the same old scams that we have always seen on premise and
now just move, perhaps, to cloud providers.

One
of the ones I think is very interesting recently was a fellow who writes for
many of the security journals. He had his account hacked and lost information
at Google and Amazon, et cetera because somebody called up the support services
and talked them into giving out the password. Same old same old, same old
wetware.

Gordon:
Social engineering plays a huge part in those break-ins. I think this does reveal, though, some of the tension that you have here because, in the case that you mentioned involving Apple and Amazon, somebody social engineered a password. Of course, one approach that those types of companies can take is to simply say, "Well, if you have lost the key, so to speak, to your account, that's just too bad because...So that we don't risk exposing someone else's through social engineering."

It
is somewhat of a trade‑off that the easier you make it for someone to recover
an account of theirs, for example, the harder you make it for somebody who has
a legitimate need to recover an account, which is frankly probably the more
common instance, at least with consumer services.

Ellen:
As you know, one of the things that we're seeing used in public cloud or
even in enterprise security is identity management. Two of the areas that are
very common now are what we call two factor authentication, sometimes known as
something you have and something you know.

Gordon:
If you haven't turned on two factor authentication for your Google
account, finish listening to this podcast but then go off and do that right
away.

Ellen:
Let's say it's something you have and something you know, traditionally.
It's something that you have like a token, et cetera and something that you
know like your own PIN. If you lose one, you still know the other. Both are
"secrets," and the combination is what unlocks your account. You find
the two factor authentication is far more secure and you can recover one
without the other without jeopardizing the private account.

The
other thing that we see a lot of now, as you may know, are the security questions
where you fill out the forms in advance with information theoretically known
only to you, although, I personally believe everybody's first pet was named
"Sam." This set of what I'm going to call "20 questions" is
also a way to identify you.

Gordon:
So many of those questions are terrible, though, because so many of them are either things that someone who has any appreciable information about you does know or can easily find out, or they're questions like, "What's your favorite color?" which may vary from one day to the next.

Ellen:
Absolutely. And remembering your own information sometimes can be a
little bit difficult.

Gordon:
Let's switch gears here maybe a little bit. I think, hopefully, we've made the case that security in some macro sense isn't worse in the cloud than anything else, even in the public cloud. But I think we can still say that some security concerns are somewhat different in the cloud, especially with public cloud, but even with private cloud resources. What are some of those ways that security's different?

Ellen:
Well, security is different when you move from your traditional way of
managing IT into the cloud. Again, as you point out, whether that is a public
or a private cloud. One of the things that's different is, on average, you'll
have more servers on the Internet when you're in a cloud architecture. The more
servers you have on the Internet, the more exposed, frankly, you are. When you
have moved from using VPN technology to allowing access to all users with
certain credentials, the more entry points you have given to malicious users to
hack into your larger network.

A
second area where cloud computing is quite different, especially with public
cloud computers, is the concept of what we call "multi‑tenancy." A
public cloud offers space‑‑think of it like the apartments in a large apartment
building. Each area that the public cloud provides, each container, is assigned
to one account, one company, whatever.

In
a multi‑tenancy area, you don't want one "tenant" to get out of their
container and start wreaking havoc in the others, either by design or by
accident.

One
of the things to really consider is making sure that the containers in a multi‑tenant
environment have fairly secure walls. Again, an analogy would be you don't want
to make it real easy for malicious neighbors to just wander into your own
apartment in an apartment complex.

Gordon:
Yes, I think I'd probably take a couple of things away there. The first
is that you assume that everything is on the network, and that there are bad
people out there who are constantly probing everything that is on the network.
So, it's really important to have security.

If
you have a PC‑‑by way of analogy‑‑sitting at home 15, 20 years ago, not
connected to a network or dialup modem, if you weren't 100 percent up to date
with everything, maybe you'd get a virus or something, but by and large, it
really wasn't that big a deal if you hadn't updated your security stuff in a
while.

If
you're in a computer that's constantly connected to a public network, whether
we're talking about client or a server device, bad stuff can happen very
quickly.

Ellen:
I think, of course, that's absolutely true. When you say you must assume
that there are bad people out there probing, increasingly, of course, bad people
are frankly bad corporations. There are businesses run nine to five whose sole
purpose is to find and exploit any weaknesses in security and take whatever can
make them a profit. As such, that's one of the reasons why in theory moving
into a public cloud can be safer because public clouds from reputable vendors
are updated. They are patched consistently on time and quite thoroughly.

Gordon:
You also mention multi-tenancy, and, obviously, you get multi-tenancy on premise or multi-tenancy in a public cloud. But multi-tenancy is pretty fundamental to how and what public clouds operate. So, I think it's fair to say that a reputable public cloud is using technology such as Security-Enhanced Linux, for example, that has some really good mechanisms to provide that additional level of security at the process level for multi-tenant environments. Now configuring SELinux isn't necessarily the easiest thing in the world. So, again, going back to how secure a public cloud is versus an SMB: well, it's quite fair to say that most SMBs aren't properly exploiting SELinux, whereas large reputable Cloud providers certainly are, along with other techniques and other technologies.

Ellen:
That's a very good point, Gordon. The Red Hat Enterprise operating system
is foundational and is used in the largest number of available public Clouds
and SaaS offerings today. It's very well installed. Part of the reason for that
is because it does have the security features that allow for more secure multi‑tenancy,
more secure virtualization. For example, the SE Linux that you mentioned, the
fact that the operating system itself is common criteria certified.

One
of the things I think to bring into focus, too, is that open source software
means that it's been peer group reviewed. It's transparent. It's open to the
sunshine. Errors are found. Bugs are found and patched relatively rapidly.

You
do find that these fundamental, base level layers that underpin a public Cloud
can be very useful in providing security.

Gordon:
It's actually a little ironic when you go back to the early days of open source becoming really mainstream. By way of analogy, [a lot of people back then thought] even if you thought you had a good alarm system, you wouldn't put the schematics on your door for a potential burglar to see. A lot of people, who weren't necessarily in the security industry, didn't understand how exploits happen. They just assumed open source must be less secure because people could see the code, and could write exploits because they can see the code. Of course, that's not how most exploits happen.

Ellen:
No, as a matter of fact, it's not at all. The fact that you can see the
code, that it is transparent, that there is a large international group that
uses the code, that inspects the code, means that it becomes more secure rather
than less so.

Gordon:
Thanks for spending some time with me today. I think, hopefully, doing a
little bit more on our part to show there's nothing inherently insecure about
the cloud, whether we're talking public clouds or private clouds. At the same
time, educating people about things that they need to think about. I'm not sure
it's so much the cloud, but simply a world in which increasingly everything is
network connected, and there are bad actors trying to take advantage of that
fact.

Ellen:
I agree. I think that the one thing to always bear in mind, given that your data, your information can be lost, can be stolen, can be compromised, whether you're using public cloud, private cloud or a hybrid, is to take whatever steps are necessary to layer on the security that gives you the protection at the level of the value of the information you're protecting.

Gordon:
That's a good point. Everything, at the end of the day, is about
mitigation. There's no such thing as a 100 percent elimination of risk, 100 percent
security. If you're talking nuclear launch codes, that is probably a little
different from pictures of your cat. Basically, as you say, the backup
procedures, encryption, whatever, the cost in both dollar cost and time and
effort on your part, shouldn't be out of whack with the value of the data and
the privacy associated with that data.

Ellen:
It does seem that a lot of companies now, things that they choose to run
in the public Cloud are the things that are, perhaps, consumer based where the
security capabilities match the value of the information. Some things that are
extremely proprietary are kept in the private Cloud. The combination makes for
great flexibility, faster deployments, and very reasonable economics.

Gordon:
That also speaks to why hybrid is a big deal and why Red Hat is making a lot of noise around open hybrid cloud, because it really is a mixed world.

Ellen:
As you say, just as Cloud computing is neither secure nor insecure,
public and private Clouds are neither the right choice nor the wrong choice.
It's nice to have a little of both.
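The two-factor scheme Ellen describes above, a password you know plus a code from a token you have, shown in working form. This is an added example and not code from the podcast or from Red Hat: it implements RFC 4226 HOTP and RFC 6238 TOTP with Python's standard library, accepts a neighbouring time step so a token with a slightly drifted clock still works, and compares both factors in constant time. The base32 secret is the RFC 6238 Appendix B test secret, the salt, password and clock values are constructed for the demo, and the function names are my own.

```python
"""Added example: password ("something you know") plus a time-based one-time
code from a token ("something you have"), per RFC 4226 and RFC 6238.
Secret, salt, password and clock values below are constructed for the demo."""
import base64
import hashlib
import hmac
import struct

# RFC 6238 Appendix B test secret ("12345678901234567890" in base32); not a real credential.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
TOTP_STEP = 30      # seconds per code (RFC 6238 default)
TOTP_DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, now: float, step: int = TOTP_STEP) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time (what the token displays)."""
    return hotp(base64.b32decode(secret_b32.upper()), int(now // step))


def verify_totp(secret_b32: str, submitted: str, now: float, skew_steps: int = 1) -> bool:
    """Accept the code for the current step or its +/- skew_steps neighbours.
    compare_digest keeps each comparison constant-time, and the loop always
    runs over every candidate so timing does not reveal which step matched."""
    secret = base64.b32decode(secret_b32.upper())
    current = int(now // TOTP_STEP)
    matched = False
    for delta in range(-skew_steps, skew_steps + 1):
        if hmac.compare_digest(hotp(secret, current + delta).encode(), submitted.encode()):
            matched = True
    return matched


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash for the 'something you know' factor (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def login(password: str, code: str, stored_hash: bytes, salt: bytes,
          secret_b32: str, now: float) -> bool:
    """Both factors are evaluated unconditionally so the failure response does not
    reveal which one was wrong; losing either factor alone does not open the account."""
    password_ok = hmac.compare_digest(hash_password(password, salt), stored_hash)
    code_ok = verify_totp(secret_b32, code, now)
    return password_ok and code_ok


if __name__ == "__main__":
    salt = b"constructed-demo-salt"          # constructed for the demo
    stored = hash_password("correct horse battery staple", salt)
    now = 59  # RFC 6238 test time; the 6-digit SHA1 code for this step is 287082
    print("code now:", totp(DEMO_SECRET_B32, now))
    print("both factors:", login("correct horse battery staple", "287082", stored, salt, DEMO_SECRET_B32, now))
    print("password only:", login("correct horse battery staple", "12345", stored, salt, DEMO_SECRET_B32, now))
```

The skew window is the practical compromise between usability and security: one step either side tolerates a minute of clock drift, and widening it further multiplies the number of codes an attacker could guess per attempt. A real deployment would also remember the last accepted counter and reject replays of the same code, and would store the TOTP secret with the same care as the password hash, since whoever holds it can mint "something you have" at will.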

Monday, August 20, 2012

BYOD gaining ground as employees increasingly need mobile access - "What has happened is everyone started building castles around your data and assumed that the data was going to be contained within the network. …Then it became very apparent that that's not going to be a solution for the long term. Now we need to protect the data wherever it is," said Andrew Storms, director of security operations at nCircle Network Security, a San Francisco-based security auditing firm."

Friday, August 17, 2012

I'm wrapping up the week putting the final touches on my Beyond Open Source in the Cloud presentation for CloudOpen week after next. The next week is going to be crazy; I need to get everything ready for VMworld and CloudOpen and then vacation in the Sierras the week after that.

Openness doesn’t stop and end with the submission of some format to a standards body or with the announcement of partners endorsing some specific technology platform. It doesn’t stop and end with open source either. An open cloud isn’t about having some singular feature. It’s about maximizing a wide range of characteristics that push the needle from closed to truly open. These include open source and open standards for sure. But they also include portability of applications and data, viable and independent communities, freedom from IP encumbrances, and APIs that are independent of specific implementations.

I've previously given a "lightning" version of this presentation at CloudCamp and some of the material is touched on during my broader cloud presentations. However, for this event, I've fleshed out my discussion of the various aspects of openness. The whole topic is very timely.

One need only look to Twitter API Apocalypse version 2,654 this past week to see just how timely. (And the fact that there's a story about APIs on CBS says something about just how important APIs--and, by extension, other aspects of openness--are to the modern computing world, even for those who have never written a line of code in their lives.)

Red Hat CEO: The nuts and bolts of open source | ITworld - "Specifically, Whitehurst described the invention of the auto lathe in 1810 by Henry Maudslay, which enabled the mass production of standardized hardware, such as nuts and bolts. It would be the availability of such standardized components, approximately 60 years into the Industrial Age, that would spawn a massive explosion of innovation around industrial products."

Magazines Don’t Have a Digital Problem, They Have a Bundling Problem | PandoDaily - "We will always need editors to commission and shape strong stories, but we don’t need them so much to bundle disparate pieces of content into one immutable chunk. Instead, many of the most savvy readers prefer to consume magazine journalism piece by piece, taking note of the source from which it sprung, but not necessarily paying heed to whatever else happened to be placed alongside it in that source that particular week or month. "

A VC: Open Protocols - RT @mathewi: "I believe in open protocols and open APIs. That is what the web was built on" -- Fred Wilson

Tuesday, August 14, 2012

Federal Cloud and the Reactionary Skeptic | a technology job is no excuse - "The trouble with the Reactionary Skeptic is that it’s a bloodless position. There’s no vision. The article is filled with warnings without a single suggestion for improving the situation. Altogether, the message being communicated to government is: Be Afraid. This kind of article encourages a fearful conservatism, which is the most toxic trait in government managers today."

Monday, August 13, 2012

As part of Red Hat's announcement of an OpenStack technology preview today, I wrote a blog that provides some additional background. Here, I'm going to delve a bit more deeply into one of the topics that I cover in that blog--namely, how do the different pieces of Red Hat's open hybrid cloud portfolio fit together? I'll be referring to the below diagram throughout this discussion.

First, there is the infrastructure layer. This typically [1] consists of a hypervisor, its associated infrastructure management stack, and APIs providing the ability to control that management stack programmatically.

This is where OpenStack plays. OpenStack is an IaaS solution that manages a hypervisor and provides cloud services to users through self-service. (The OpenStack project supports a variety of hypervisors to various degrees; Red Hat is focused on KVM--the hypervisor used by Red Hat Enterprise Virtualization--which is part of Linux and has become pretty much the default open source hypervisor.) Perhaps the easier way to think of OpenStack, however, is that it lets an IT organization stand up a cloud that looks and acts like a cloud at a service provider. That OpenStack is focused on this public cloud-like use case shouldn't be surprising; service provider Rackspace has been an important member of OpenStack and uses code from the project for its own public cloud offering.

This IaaS approach differs from the virtualization management offered by Red Hat Enterprise Virtualization, which is more focused on what you can think of as an enterprise use case. In other words, Red Hat Enterprise Virtualization supports typical enterprise hardware such as storage area networks and handles common enterprise virtualization feature requirements such as live migration. Both OpenStack and Red Hat Enterprise Virtualization may manage hypervisors and offer self-service—among other features—but they're doing so in service of different models of IT architecture and service provisioning.

Alternatively, the self-service infrastructure may be at a public cloud provider such as Amazon Web Services or Rackspace. Ultimately the goal is to make the underlying infrastructure decisions largely transparent to the consumer of the resources, such as a developer. Of course, where the resources are located, how they are managed, and what types of hardware functions they expose make a big difference to the ops team. But they're deliberately abstracted from those developing and using applications.

Then there is open, hybrid cloud management of those “cloud providers.” These providers can consist of the various types of infrastructure just described: on-premise IaaS like OpenStack, public IaaS clouds, and virtualization platforms (not just a hypervisor) like Red Hat Enterprise Virtualization or VMware vSphere. This is where Red Hat CloudForms comes in. CloudForms allows you to build a hybrid cloud that spans those disparate resources. It lets you build a "cloud of clouds" in a sense.

However, equally important, is that CloudForms provides the lifecycle management of the content and images that will run across the hybrid cloud infrastructure. For example, CloudForms lets you specify content repositories which feed the construction and ongoing management of single- and multi-tier applications through Application Blueprints created by IT administrators. These Application Blueprints also embed policy. When a user chooses an available application environment through the self-service interface, it can only be deployed to a location enabled by policy. For example, development environments may be deployed to a public cloud while production applications may be deployed to an on-premise virtualization platform.

Platform-as-a-Service (PaaS) is delivered by Red Hat OpenShift PaaS. PaaS is perhaps best thought of as an abstraction focused on the typical concerns of developers. Thus, instead of an operating system image-centric view (as an IaaS provides), PaaS is more oriented to a view that revolves around pushing and pulling code into and from repositories; the operation of the software needed to run that code is largely kept in the background.

Unlike a PaaS that is limited to a specific provider, OpenShift PaaS can run on top of any appropriately provisioned infrastructure whether in a hosted or on-premise environment. It then provides application multi-tenancy within the operating system images that make up the infrastructure. It does so using a combination of Linux Containers, SELinux for security isolation, and other Linux features. Red Hat's Matt Hicks spoke with me about some of these technologies in an interview a while back (podcast and transcript).

This approach allows organizations to not only choose to develop using the languages and frameworks of their choice but to also select the IT operational model that is most appropriate to their needs. The provisioning and ongoing management of the underlying infrastructure on which OpenShift PaaS runs is where virtualization, IaaS, and cloud management solutions come in. (After all, someone needs to operate the PaaS infrastructure whether it's on-premise or at a cloud provider.)

Nor does Red Hat Cloud end with "cloud products." For example, Red Hat Enterprise Linux--in addition to providing features used by offerings such as OpenShift--also provides a consistent and reliable runtime for applications as they move across different environments such as on-premise and public clouds. Red Hat Storage (from our Gluster acquisition) provides a distributed, scalable, software-only filesystem that will be an important part of data portability across clouds.

Sound complicated? It is a bit, I guess. But when you're talking about such a big change in the way that IT systems are operated and applications are consumed, some complexity is unavoidable. (Which is one reason we're so focused on solutions. But that's a topic for another day and another blog post.)

-------------------

[1] In a future version, CloudForms will be able to provision "bare metal" physical servers using Foreman/Puppet components. In this respect, CloudForms includes the ability to build an IaaS. However, for our purposes here, I'm going to focus on how CloudForms builds hybrid cloud resource pools on top of IaaS and virtualization management products and manages the applications running in those pools.

Thursday, August 09, 2012

Jonah Lehrer, TED, and the narrative dark arts | Felix Salmon - "And here’s the thing: for all that Jonah Lehrer ultimately wound up blogging for the New Yorker, he has always been a creature of TED much more than he has been a creature of journalism.* Check out Seth Mnookin’s post, today, on Jonah Lehrer’s missing compass: the way that Lehrer remixed facts in service of narrative is very TED"

Derrick Harris at GigaOm has a piece up about the "IT world's love-hate relationship" with OpenStack. It seems a balanced piece overall even if a lot of "Why the hate" either boils down to pre-foundation governance issues or generalized "concerns." The cynical might be inclined to label some of this as FUD coming from those with commercial interests opposed to OpenStack. If you attended GigaOm's Structure 2012 conference, you saw some of this dynamic in play in the debate over APIs. In a nutshell, does a popular de facto API like AWS trump APIs that are actually open? Contrary to the fervent denials one hears, from where I sit, there is very much an anti-OpenStack camp.

On the "love" side described by Harris, I'd add that, in addition to the "mega-vendor" and large end-user backers, there's also huge breadth of participation; April's OpenStack Conference in San Francisco had over 1,000 people registered. It's hard to argue against the proposition that OpenStack has a lot of momentum going for it.

Leaving aside the pro/con snippets though, Harris' overall conclusion strikes me as fair. Whether or not you agree that all the knocks on OpenStack that Harris details are truly newsworthy, his overall conclusion is pretty positive.

Perhaps it’s just par for the course that any project with so much hype, representing such a lucrative opportunity, and comprised of big egos all around is going to be a hotbed of in-fighting and allegations. But if the companies involved can hold OpenStack together enough to keep everyone headed in the same direction, it’s hard to see how it won’t be a major factor in the cloud space for a long time to come.

My employer, Red Hat, is a platinum member of the OpenStack Foundation.

What Happened To the Long Tail? - "For Shanks, the loss of physical shelf space, the proliferation of titles online, and growth of e-books sales means the promise of the long tail for print books has been permanently altered. “There is a long tail, but it is so long the units are small.”"

Friday, August 03, 2012

Following a successful test on five routes, Amtrak is expanding a digital ticketing program to all trains, enabling passengers to use their smartphones to present tickets to the conductor...

Passengers using a smartphone or other mobile device can present the eTicket to the conductor by opening the document from the email.

ETickets can also be printed from any printer, including at Amtrak ticket offices and Quik-Trak kiosks.

Additionally, passengers can also buy tickets and display eTicket bar codes with the Amtrak mobile application.

With the eTicket program, passengers can also easily change reservations and lost or misplaced tickets can be easily reprinted.

Nice. I actually don't find mobile tickets all that big a win with the airlines most of the time; it's just not usually that big a deal to get a boarding pass from an airport kiosk. (Although I typically print out my outbound boarding pass at home when I remember.)

But I use Amtrak, most often from Boston to New York, differently than I use planes. The timing of my outbound leg is pretty set--way too early in the morning. But, for my return, I'm usually in the position of guessing how an event or set of meetings is going to play out and taking a stab at a return time that may or may not turn out to make a lot of sense.

The problem is that, although you can change train ticket times without penalties, in practice dealing with lines at Penn Station and call queues with reservations can make changing a ticket more hassle than it's worth. If mobile tickets make the process a lot more streamlined, that's a big win.

Another mentioned advantage is that current Amtrak tickets, once issued, are essentially just like cash--as I know from experience--and are very hard to get refunded/replaced just as airline tickets once were.

For most purposes, this shift away from significant value being embedded in arbitrary bits of paper is a welcome one--but it does raise the stakes on back-end infrastructure. It has to be resilient and scalable. The network pipes going in and out have to be solid. It also potentially creates complications if always-connected mobile devices aren't, in fact, always connected (although mobile apps that store past transactions can help).

Because, increasingly, there just won't be a good manual fall-back if the digital systems don't work.

My Top Five Sessions at the CloudOpen Conference | The Linux Foundation - "Beyond Open Source in the Cloud - Gordon Haff, Red Hat. Openness doesn’t stop and end with the submission of some format to a standards body or with the announcement of partners endorsing some specific technology platform. It doesn’t stop and end with open source either. An open cloud isn’t about having some singular feature. It’s about maximizing a wide range of characteristics that push the needle from closed to truly open. These include open source and open standards for sure. But they also include portability of applications and data, viable and independent communities, freedom from IP encumbrances, and APIs that are independent of specific implementations."

About Me

I'm technology evangelist for Red Hat, the leading provider of commercial open source software. I'm a frequent speaker at customer and industry events. I also write extensively on and develop strategy for Red Hat’s hybrid cloud portfolio.

Prior to Red Hat, as an IT industry analyst, I wrote hundreds of research notes, was frequently quoted in publications such as The New York Times on a wide range of IT topics, and advised clients on product and marketing strategies. Among other hobbies, I do a lot of photography and enjoy the outdoors.